InvalidIdentityValues error when trying to update api management resource with azapi_update_resource #682

Open
lucymullins opened this issue Nov 26, 2024 · 1 comment


lucymullins commented Nov 26, 2024

I'm trying to add a self-hosted gateway custom domain via Terraform that is missing in the azurerm provider within the API Management resource. I have tried the 2023-01-01-preview, 2022-08-01 and 2021-08-01 API versions but still get the same error. I have also tried explicitly referencing the identity with identical configuration to the one present in the azurerm resource, but no luck. This is my code.

resource "azapi_update_resource" "custom_domain_configuration" {
  type = "Microsoft.ApiManagement/service@2021-08-01" # API Version

  resource_id = azurerm_api_management.apimanagement.id

  body = {
    properties = {
      hostnameConfigurations = [
        {
          type              = "ConfigurationApi" # For configuration API
          hostName          = "${var.apim_shgwep_prefix}.${var.private_dns_zone_name}" # Custom domain
          keyVaultId        = data.azurerm_key_vault_certificate.apim-shgwep-server-pfx.versionless_secret_id
          defaultSslBinding = false
        }
      ]
    }
  }
}

Expected behaviour:
The update should run successfully and the custom domain should be added to the API Management resource.

Actual behavior:
The error below occurs:

╷
│ Error: Failed to update resource
│
│   with azapi_update_resource.custom_domain_configuration,
│   on apim.tf line 113, in resource "azapi_update_resource" "custom_domain_configuration":
│  113: resource "azapi_update_resource" "custom_domain_configuration" {
│
│ updating "Resource: (ResourceId
│ \"/subscriptions/***(https://github.com***)***/resourceGroups/***-01/providers/Microsoft.ApiManagement/service/apimanagement-dev-uksouth-01\"
│ / Api Version \"2021-08-01\")": PUT
│ https://management.azure.com/subscriptions/***](https://github.com/***l/apim-mvp-infra/actions/runs/12035941177/job/**/resourceGroups/***-01/providers/Microsoft.ApiManagement/service/apimanagement-dev-uksouth-01
│ --------------------------------------------------------------------------------
│ RESPONSE 400: 400 Bad Request
│ ERROR CODE: InvalidIdentityValues
│ --------------------------------------------------------------------------------
│ {
│   "error": {
│     "code": "InvalidIdentityValues",
│     "message": "Invalid value for the identities '/subscriptions/****/resourcegroups/rg-mvp-apim-dev-uksouth-01/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-apim-dev-uksouth-01'. The 'UserAssignedIdentities' property keys should only be empty json objects, null or the resource exisiting property."
│   }
│ }

@ms-henglu
Member

Hello @lucymullins ,

Thank you for taking time to report this issue.

The azapi_update_resource calls GET to retrieve the latest status of an existing resource, then combines it with the configuration defined in the body, then uses an embedded schema to remove the read-only fields and sends a PUT request to update the resource.

I noticed that the definition of user assigned identity is incorrect in the REST API spec, so azapi couldn't remove the read-only fields correctly.

I have some workarounds, hope they could help:

// use the azapi_resource_action to perform the update, however it couldn't monitor the resource change made outside Terraform
resource "azapi_resource_action" "test" {
  type        = "Microsoft.ApiManagement/service@2024-05-01"
  resource_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ApiManagement/service/apim"
  method      = "PATCH"
  body = {
    properties = {
      hostnameConfigurations = [
        {
          hostName = ""
          type     = ""
        }
      ]
    }
  }
}

// use the `azapi_resource` to manage the full lifecycle of this resource
resource "azapi_resource" "service" {
  type      = "Microsoft.ApiManagement/service@2024-05-01"
  parent_id = "The id of the Microsoft.Resources/resourceGroups@2020-06-01 resource"
  name      = "The name of the resource"
  location  = "location"
  body = {
    properties = {
      certificates = [
      ]
      customProperties = {
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30" = "false"
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10" = "false"
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11" = "false"
      }
      disableGateway      = false
      publicNetworkAccess = "Enabled"
      publisherEmail      = "[email protected]"
      publisherName       = "pub1"
      virtualNetworkType  = "None"
    }
    sku = {
      capacity = 1
      name     = "Developer"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
  timeouts {
    create = "180m"
    update = "180m"
    delete = "180m"
  }

}
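
The GET, merge, strip, PUT flow described in the reply above, as an added Python sketch (not code from azapi or from either commenter). The GET response shape, the placeholder IDs, the path-list schema model and `service_accepts` are assumptions made for illustration; the check models only the "empty json objects, null" part of the error message.

```python
import copy

# Constructed sample data: placeholder IDs, not values from the issue.
IDENTITY_ID = ("/subscriptions/<sub>/resourceGroups/<rg>/providers/"
               "Microsoft.ManagedIdentity/userAssignedIdentities/<name>")
EXISTING = {  # assumed shape of the GET response
    "identity": {"type": "UserAssigned", "userAssignedIdentities": {
        IDENTITY_ID: {"principalId": "<guid>", "clientId": "<guid>"}}},
    "properties": {"provisioningState": "Succeeded",
                   "hostnameConfigurations": []},
}
BODY = {"properties": {"hostnameConfigurations": [
    {"type": "ConfigurationApi", "hostName": "gw.example.internal"}]}}

# Hypothetical schema model: read-only paths, "*" matches any map key.
GOOD_SCHEMA = [("properties", "provisioningState"),
               ("identity", "userAssignedIdentities", "*", "principalId"),
               ("identity", "userAssignedIdentities", "*", "clientId")]
BAD_SCHEMA = GOOD_SCHEMA[:1]  # identity entries not modelled as read-only

def merge(base, patch):
    """Deep-merge patch over base; lists and scalars are replaced."""
    out = copy.deepcopy(base)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out

def strip_readonly(obj, path):
    """Delete the field addressed by path from obj, in place."""
    head, rest = path[0], path[1:]
    keys = list(obj) if head == "*" else [head] if head in obj else []
    for key in keys:
        if not rest:
            del obj[key]
        elif isinstance(obj[key], dict):
            strip_readonly(obj[key], rest)

def build_put_body(existing, body, readonly_paths):
    merged = merge(existing, body)
    for path in readonly_paths:
        strip_readonly(merged, path)
    return merged

def service_accepts(put_body):
    """Simplified rule: every userAssignedIdentities value is {} or None."""
    ids = put_body.get("identity", {}).get("userAssignedIdentities", {})
    return all(value in ({}, None) for value in ids.values())
```

With `BAD_SCHEMA` the PUT body still carries `principalId` and `clientId` under the identity key, which is the condition the `InvalidIdentityValues` message rejects; with `GOOD_SCHEMA` the value collapses to an empty object.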
